KR102048469B1 - System, method and user terminal for private network access control using untrusted access network - Google Patents

Abstract

The present invention provides a dedicated network access control system, method and user terminal using an untrusted access network. The system stores an access profile of a user terminal, and receives an authentication server for performing user authentication with respect to the user terminal, and receives a dedicated network access request of the user terminal through an untrusted access network, from the user terminal or the authentication server. An evolved packet data gateway (ePDG) requesting a packet data network gateway (PGW) to create a communication session between the user terminal and a dedicated network using the received connection profile of the user terminal. The untrusted access network includes a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator who is not a carrier that provides the dedicated network.

Description

Dedicated network access control system, method and user terminal using untrusted access network {SYSTEM, METHOD AND USER TERMINAL FOR PRIVATE NETWORK ACCESS CONTROL USING UNTRUSTED ACCESS NETWORK}

The present invention relates to a dedicated network access control system, method and user terminal using an untrusted access network.

Conventionally, as a method of accessing a private network from a remote location, there are a virtual private network (VPN) technology and a private network Long Term Evolution (LTE) technology.

Virtual Private Network (VPN) technology is a technology that enables remote network access using physically different IP networks using high-level protocols, such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPsec). Virtual private network (VPN) technology configures a VPN server and connects to a VPN client. After establishing a traffic tunnel in an access section, a VPN can be accessed from a remote location, and Internet connectivity (LAN, WiFi) must be completed.

Dedicated network LTE technology is a technology that allows access to a dedicated network using a delimiter such as an access point name (APN) in the LTE network. This technology allows a user terminal to access a dedicated network through a dedicated packet data network gateway (PGW) of the LTE communication system. Therefore, this technology sets or selects the APN used for LTE access as the APN of a private network, for example, abccompany.lte.com, and uses an LTE access and subscriber module (Universal Subscriber Identity Module, USIM). Authentication must be possible.

However, when the dedicated network subscriber is an enterprise subscriber or a group subscriber, the corresponding private network service cannot be used except for a terminal subscribed to a communication service provider providing a dedicated network service among member terminals belonging to a company or a group.

Therefore, the private network subscriber has a burden of applying for a private network service or operating a general virtual private network (VPN) service for each member for a member who does not subscribe to a communication service provider that provides a private network service.

In general, in order for employees of a company to work remotely, such as e-mail, DB access, and in-house server work, business terminals such as laptops and pads must be accessible to the company's intranet or company network. . Enterprises typically install and maintain a VPN server, and require employees to deploy and use a VPN client.

However, VPNs are provided on the Internet layer in the hierarchy, and the VPN itself does not provide an Internet connection environment, and the company has a burden of having to manage a separate VPN server to manage operation, account management, and VPN client deployment. Have

On the other hand, in the case of a mobile terminal such as a smart phone, only the communication service provider that supplies the corresponding subscriber module (USIM) of the terminal may authenticate the subscriber module (USIM). That is, when a dedicated network subscriber subscribes to a dedicated network service of A carrier, the other mobile terminal is connected to a relay terminal provided by a communication service provider providing a dedicated network service, for example, via an LTE egg or an LTE router. You must be able to access A's private network. Therefore, in order to access a dedicated network, a separate relay terminal must always be carried, which causes inconvenience to a user due to mobility and usability limitations.

In addition, in the case of a PC or a tablet PC without an LTE modem or a subscriber module (USIM), a separate VPN server is required to access a dedicated network through a Wi-Fi network.

In addition, in a roaming situation, since it is not possible to connect to a dedicated network through a Wi-Fi network, for this purpose, the LTE access network of the visited network must be used, but there is a problem in that the usage fee is expensive.

As such, when the dedicated network subscriber is a corporate or group subscriber, the users always have a relay terminal so as not to limit the dedicated network access terminal to a specific communication terminal terminal or limit its use to a mobile terminal equipped with a subscriber module (USIM). Enterprise subscribers need to build a VPN server.

The problem to be solved by the present invention is that the user terminal that does not use the subscriber module (USIM) or access through the untrusted access network (Untrusted Access Network) that can not authenticate the subscriber module (USIM) can be connected to a dedicated network of a specific operator It is to provide a system, a method and a user terminal to control.

Another problem to be solved by the present invention is a system for controlling an access to a private network without a virtual private network (VPN) server, after performing the authentication procedure using a mobile terminal subscribed to the LTE dedicated network service, only the untrusted access network, It is to provide a method and a user terminal.

According to one aspect of the present invention, a dedicated network access control system stores an access profile of a user terminal, performs an authentication server for the user terminal, and makes a request for access to the dedicated network of the user terminal through an untrusted access network. When received, an evolved packet requesting a packet data network gateway (PGW) to create a communication session between the user terminal and a dedicated network using a connection profile of the user terminal received from the user terminal or the authentication server. A non-trusted access network includes an Envolved Packet Data Gateway (ePDG), wherein the untrusted access network includes a communication network that does not require a Universal Subscriber Identity Module (USIM) or a service provider that provides the dedicated network. It includes the network of.

The access profile may include terminal identification information including at least one of a virtual international mobile subscriber identify (IMSI), a mobile mobile directory directory (MSDN), a virtual international mobile equipment identity (IMEI), and an access unit (APN). Point Name) and subscriber authentication key.

The evolved packet data gateway (ePDG) performs an access profile authentication to confirm whether the user terminal is authorized to access the private network based on the access profile in association with the authentication server, and succeeds in the access profile authentication. If so, the packet data network gateway (PGW) may request the creation of the communication session.

The authentication server receives a dedicated network access authentication request from an authentication terminal separate from the user terminal before the evolved packet data gateway (ePDG) receives the dedicated network access request of the user terminal, and sends a one-time password to the authentication terminal. (One Time Password, OTP), and upon receiving a dedicated network access request from the evolved packet data gateway (ePDG), performs authentication to determine whether the one-time password (OTP) is valid together with the access profile authentication. When the authentication server succeeds in all the authentications, the evolved packet data gateway (ePDG) requests the creation of the communication session, the dedicated network connection request is transmitted through a mobile communication network, and the dedicated network connection request is It can be delivered over an untrusted access network.

The authentication server may check the dedicated network access authority of the user terminal for the dedicated network access authentication request based on the telephone number of the authentication terminal, and if it is determined that the dedicated network access authority is present, the one-time password (OTP) may be transmitted. .

The authentication server may separately perform an operation of transmitting a dedicated network access authentication response to the authentication terminal and an operation of transmitting a message including the one-time password (OTP) to the authentication terminal.

The authentication server receives an authentication request from a dedicated application executed in the user terminal, sends an OTP (One Time Password) to a phone number included in the authentication request, and receives the OTP received from the dedicated application, and the sending. If one OTP matches, the connection profile of the user terminal is transmitted to the user terminal, and the evolved packet data gateway (ePDG) may receive a dedicated network access request including the connection profile from the user terminal.

When the evolved packet data gateway (ePDG) receives a dedicated network access request including an ID and a password from a dedicated application executed in the user terminal, the ePDG transmits the ID and password to the authentication server to transmit the ID and password to the authentication server. And a connection profile of the user terminal confirmed through the password.

The evolved packet data gateway (ePDG) stores a connection profile of the user terminal received from the authentication server together with a connection history of the user terminal in a local cache, and when the dedicated network access request is received, When there is no stored connection profile, the authentication server may request and receive the authentication server.

When the authentication server receives a registration request from a dedicated application executed in the user terminal, the authentication server registers the ID and password included in the registration request, and the ID and password received from the evolved packet data gateway (ePDG). If the information is registered, the access profile of the user terminal may be transmitted.

The authentication server sends an OTP (One Time Password) to the phone number verified through the ID and password, and requests the dedicated application to connect the user terminal if the received OTP matches the sent OTP. Send a profile to the evolved packet data gateway (ePDG), send an OTP to the telephone number received from the dedicated application, request the dedicated application, and if the received OTP matches the sent OTP, the dedicated The ID and password requested for registration from the application can be registered.

The authentication server includes OTP authentication option information indicating whether or not to use OTP authentication, password usage information indicating whether password is used, OTP / password information storing OTP and password, and an authentication profile storing subscriber authentication key for each ID of the user terminal. Create and manage, and perform a user authentication for the user terminal using the authentication profile.

According to another aspect of the present invention, a method for controlling access to a dedicated network is a method in which an evolved packet data gateway (ePDG) controls access to a dedicated network of a user terminal, and requests a private network access of the user terminal through an untrusted access network. Requesting a packet data network gateway (PGW) to create a communication session between the user terminal and the dedicated network using a connection profile included in the dedicated network access request or a connection profile obtained from an authentication server. The untrusted access network includes a communication network that does not require a Universal Subscriber Identity Module (USIM) or a communication network of another operator other than a communication provider that provides the dedicated network. The profile may identify the user terminal. Information that is present and information required for the user terminal to access the network.

The requesting may include: when the dedicated network connection request includes the connection profile, performing authentication on whether the user terminal has the dedicated network access authority based on the connection profile in association with the authentication server; and the authentication If successful, the method may include requesting the packet data network gateway (PGW) to create the communication session.

The requesting may include: when the dedicated network connection request includes an ID and password, transmitting the ID and password to the authentication server, receiving a connection profile confirmed from the ID and password, from the authentication server; Authenticating whether the user terminal has the dedicated network access authority by interworking with the authentication server based on the received access profile, and if the authentication is successful, requesting the packet data network gateway (PGW) to generate the communication session. It may include the step.

After the requesting step, receiving a location information update from a user terminal connected to the dedicated network, transmitting a bearer change message including the updated location information to the packet data network gateway (PGW); The method may further include receiving a message, and transmitting a location information update completion to the user terminal.

Prior to the receiving, further comprising the step of transmitting a one-time password (OTP) to the authentication terminal in accordance with a dedicated network access authentication request received from the authentication terminal separate from the user terminal, the requesting step The authentication server may request creation of the communication session when both the authentication using the connection profile and the authentication for determining whether the one-time password is valid are successful.

According to another feature of the present invention, a user terminal generates a communication device for accessing an untrusted access network untrusted by a communication provider providing a private network, and a connection request signal for accessing the dedicated network, and generates the connection request signal. And a processor for transmitting to an evolved packet data gateway (ePDG) through the communication device, wherein the access request signal is transmitted by an access profile received from an authentication server or the evolved packet data gateway (ePDG). It includes authentication information to obtain the connection profile from the authentication server.

The processor receives the dedicated network access response from the evolved packet data gateway (ePDG) and connects to the dedicated network. Then, when the watchdog timer expires by running the watchdog timer, the processor updates the position information including the current position information. It may transmit to the packet data gateway (ePDG).

The untrusted access network may include a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator other than a communication service provider providing the dedicated network.

According to another feature of the present invention, a dedicated network access control system is connected to a public Wi-Fi AP provided to an unspecified number, and is a temporary account received from a work terminal through the public Wi-Fi AP. Perform authentication to determine whether the information is valid, and if the temporary account information is valid, at the request of an authentication terminal received through a mobile communication network, a Wi-Fi authentication server that allows access to the public Wi-Fi AP of the work terminal; And a dedicated network access authentication server for obtaining temporary account information from the Wi-Fi authentication server and transmitting the temporary account information to the authentication terminal, wherein the temporary account information received from the work terminal includes the temporary account information received by the authentication terminal. The terminal may be input from the user.

The dedicated network access authentication server stores a subscriber profile including subscriber's work terminal information and authentication terminal information, and receives a public Wi-Fi AP access request of the work terminal from the authentication terminal through the mobile communication network. After checking the usage rights of the work terminal based on the determination, the temporary account may be requested to the Wi-Fi authentication server.

The dedicated network access authentication server may separately transmit a response to the public Wi-Fi AP access request, and transmit the temporary account information, and transmit the temporary account information to the authentication terminal using a message service of a communication service provider. have.

The public Wi-Fi AP access request of the work terminal is triggered by an event in which the Internet use of the work terminal is selected from a dedicated application menu of the authentication terminal, and the dedicated application menu is turned on or off a dedicated network connection through the authentication terminal. It may be divided into a setting menu and a work terminal setting menu including Internet use of the work terminal and a dedicated network connection.

Receiving a dedicated network connection request from the business terminal, and further comprises an evolved packet data gateway (ePDG) for requesting the creation of a communication session to the dedicated network, the dedicated network access authentication server, the evolved packet data gateway (ePDG) is Before receiving a dedicated network access request, the dedicated terminal receives an exclusive network access authentication request from the authentication terminal through the mobile communication network, transmits the one time password (OTP) to the authentication terminal, and interworks with the packet data gateway (ePDG). Authentication through the connection profile of the work terminal and authentication to determine whether the one-time password (OTP) is valid, and the evolved packet data gateway (ePDG), if the dedicated network access authentication server is all successful in authentication, The dedicated network may request to create a communication session.

The dedicated network access authentication server checks the dedicated network access authority of the work terminal for the dedicated network access authentication request based on the telephone number of the authentication terminal, and transmits the one-time password (OTP) if it is determined that the dedicated network access authority is present. Can be.

The dedicated network access authentication server may separately perform an operation of transmitting a dedicated network access authentication response to the authentication terminal and an operation of transmitting a message including the one-time password (OTP) to the authentication terminal.

The dedicated network access authentication server may receive a request and a response from the authentication terminal in an HTTP manner.

According to an embodiment of the present invention, a user terminal connected to a non-trusted access network that does not use the subscriber module (USIM) or cannot authenticate the subscriber module (USIM) is connected to a specific mobile operator network (Public Land Mobile Network, PLMN). Allow access to my private network.

In addition, by installing a dedicated application, it is possible to connect to a dedicated network without a separate VPN device.

In addition, a Wi-Fi business terminal, such as a laptop or a PAD, which cannot use a dedicated LTE network directly because there is no subscriber module (USIM), can be remotely connected using a dedicated network LTE authentication of a mobile terminal without using a virtual private network (VPN) server. Allows access to the private network at.

In addition, as a solution in connection with a dedicated LTE network, the authentication and history management system of the work terminal can be unified with the dedicated network LTE to increase the efficiency by integrated history management.

1 is a block diagram of a dedicated network access control system using an untrusted access network according to an embodiment of the present invention.
2 is a flowchart illustrating a process of obtaining a connection profile according to an embodiment of the present invention.
3 is a flowchart illustrating a dedicated network access procedure according to an embodiment of the present invention.
4 is a flowchart illustrating an ID / PW registration process according to an embodiment of the present invention.
5 is a flowchart illustrating a dedicated network access procedure according to another embodiment of the present invention.
6 is a flowchart illustrating an operation of a packet data network gateway (PGW) according to an embodiment of the present invention.
7 is a flowchart illustrating a location update process of a user terminal according to an embodiment of the present invention.
8 is a configuration showing an authentication profile according to an embodiment of the present invention.
9 is a configuration showing a connection profile according to an embodiment of the present invention.
10 is a configuration diagram of a dedicated network access control system using an untrusted access network according to another embodiment of the present invention.
FIG. 11 is a block diagram illustrating a detailed configuration of a dedicated network access authentication server of FIG. 10.
12 is a flowchart illustrating a process of accessing an untrusted access network according to an embodiment of the present invention.
13 illustrates a screen user interface (UI) of an authentication terminal according to an embodiment of the present invention.
14 illustrates a message reception screen of an authentication terminal according to an embodiment of the present invention.
15 is a flowchart illustrating a dedicated network access control process according to another embodiment of the present invention.
16 shows a configuration of a dedicated network access screen according to an embodiment of the present invention.
17 is a hardware block diagram of a terminal according to an embodiment of the present invention.
18 is a hardware block diagram of a network device according to an embodiment of the present invention.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. In the drawings, parts irrelevant to the description are omitted for simplicity of explanation, and like reference numerals designate like parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise.

In addition, the terms “… unit”, “… unit”, “module”, etc. described in the specification mean a unit that processes at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software. have.

In the present specification, a terminal is a user device, and includes a device, a user equipment (UE), a mobile equipment (ME), a mobile station (MS), a mobile terminal (MT), a subscriber station (subscriber station, Terms such as SS, Portable Subscriber Station (PSS), User Equipment (UE), Access Terminal (AT), etc., may be referred to as mobile terminal, subscriber station, portable subscriber station, It may also include all or part of the functionality of the user device.

The base station (BS) includes an access point (AP), a radio access station (RAS), a node B (Node B), a base transceiver station (BTS), and a mobile multihop relay (MMR). ) -BS and the like, and may include all or part of the functions of an access point, a radio access station, a NodeB, a base transceiver station, an MMR-BS, and the like.

In the present specification, a Private Long Term Evolution (LTE) technology may be used. This Private LTE technology separates Packet Data Networks (PDNs) through an Evolved Packet Core (EPC) of an LTE communication system.

Here, the PDN includes a public network and a private network. Private networks can also be referred to as private networks, private networks, intranets, and dedicated LTE networks. This private network provides mobile communication services with limited external access for specific subscribers. In this case, the specific subscriber may be a corporate or group subscriber.

The public network may also be referred to as a public network, a public network, the Internet, and a general LTE network. This public network provides a mobile communication service to an unspecified number.

An access point name (hereinafter, referred to as an 'APN') is used to distinguish and serve a public network and a private network through an EPC.

The APN is information for identifying a packet data network (hereinafter, referred to as a 'PDN') to be connected in a mobile communication network, also called a PDN ID.

The high level architecture of LTE includes three main components, which can be described as including a UE, an Evolved UMTS Terrestrial Radio Access Network (E-UTRAN), and an EPC. Here, Evolved Packet System (EPS) refers to E-UTRAN and EPC.

The EPC includes a Mobility Management Entity (MME), a Serving Gateway (SGW), and a Packet Data Network Gateway (PGW). The concept of communication technology and network device configurations used in an LTE communication system may be referred to in the embodiment of the present invention. have.

Now, a private network access control system, method, and user terminal using an untrusted access network will be described with reference to the drawings.

1 is a block diagram of a dedicated network access control system according to an embodiment of the present invention.

Referring to FIG. 1, a user terminal 1 101 is connected to an ePDG 107 and an authentication server 109 through an AP 103 and an internet 105.

According to one embodiment, the user terminal 1 (101) is a terminal without a subscriber module (USIM), and is an Internet of Things (IoT) such as a PC, a tablet PC, a network closed circuit television (CCTV), or the like. It may include a terminal.

The access point 103 is an untrusted access network that does not use a subscriber module (USIM) and corresponds to a Wi-Fi AP. In this case, the untrusted access network may include a wired LAN (Local Area Network) in addition to the Wi-Fi (WiFi).

According to another embodiment, the user terminal 1 (101) is a terminal having a subscriber module (USIM), and may be a mobile terminal, a smartphone, or the like. The user terminal 1 101 may include a terminal, for example, a roaming terminal, to access a dedicated network through an untrusted access network such as a Wi-Fi network.

The user terminal 2 111 is a third party subscription terminal, and is connected to the ePDG 107 and the authentication server 109 through another operator base station 113, another operator core network 115, and the Internet 105. Here, the other operator base station 113 and the other operator core network 115 may be an LTE network or a network employing another mobile communication standard.

In this case, the other operator base station 113 and the other operator core network 115 correspond to network components of other operators other than the telecommunication service provider providing the dedicated network service.

In this case, the user terminal 2 111 may be a terminal equipped with a subscriber module (USIM), but cannot authenticate the subscriber module (USIM) in its PGW 117 that provides a dedicated network service. Accordingly, the user terminal 2 111 is treated the same as a terminal without a subscriber module USIM, and the other provider access network is included in the untrusted access network.

As such, in an embodiment of the present invention, the untrusted access network includes a communication network that does not use the subscriber module USIM, or a communication network that cannot authenticate the subscriber module USIM.

The user terminals 101 and 111 include hardware (HW) that enables IP-based communication such as an operating system (OS) supporting an Internet Protocol (IP), a Wi-Fi modem, an LTE modem, and a LAN. Thus, it is a terminal that can access the Internet 105.

The user terminals 101 and 111 may load and execute a dedicated application for accessing a dedicated network via an untrusted access network. Here, the dedicated application may be implemented in the form of a smartphone app, a client program of a PC, and an application program for an IoT terminal.

The dedicated application is capable of HTTP (HyperText Transfer Protocol) communication with the authentication server 109 using an IP (Internet Protocol) supported at the operating system (OS) level of the user terminal (101, 111). Alternatively, TCP / IP (Transmission Control Protocol / Internet Protocol) communication is possible.

 In addition, the dedicated application supports data communication by creating Internet Key Exchange Protocol (IKEv2) and Internet Protocol Security (IPSec) tunnels, and includes a connection profile management function. Here, the connection profile will be described later.

The ePDG 107 functions as a gateway that performs access to the dedicated network 121 after performing subscriber authentication of the user terminals 101 and 111. The ePDG 107 is a network device standardized in 3GPP, and provides an application service such as Voice over WiFi (VoWiFi), a carrier-specific VoD, or a real-time TV, and needs a function of guaranteeing IP continuity between WiFi and LTE. However, the ePDG 107 according to the embodiment of the present invention does not need to guarantee the continuity of IP when moving between Wi-Fi and LTE.

Even if the ePDG 107 does not have a subscriber module (USIM), a standardized function in 3GPP is modified to access a core network of an operator providing a dedicated network service through a separate authentication process, that is, its PGW 117.

The ePDG 107 performs IKEv2 server and IPSec server functions for interworking with dedicated applications of the user terminals 101 and 111.

The ePDG 107 is connected with the authentication server 109 and its PGW 117. Here, the company's and third party's standards depend on whether it is a subject that provides a dedicated network service. That is, the company that provides the private network service is its company, and the other company is classified as a third party.

The company's PGW 117 is connected to its own policy and charging rules function (PCRF) 119 and a dedicated network 121.

The company's PGW 117 may be a dedicated PGW for the dedicated network 121 and may correspond to the APN. That is, the ePDG 107 may check the APN and request creation of a session to the company's PGW 117 corresponding to the APN among at least two or more company's PGWs.

The authentication server 109 interworks with the ePDG 107 using a diameter protocol for access authentication, and directly interworks with the user terminals 101 and 111.

The authentication server 109 provides an ID / PW management and connection profile, and provides a subscriber profile for interworking with its PGW 117.

At this time, the authentication server 109 acquires and stores a subscriber profile and an access profile by directly or indirectly interworking with the subscription system 123 managing subscriber information.

Here, the information required by the ePDG 107 and the information required by the company's PGW 117 are different. The connection profile mainly contains the information needed by the ePDG 107, and the subscriber profile contains the information needed by the own PGW 117. Of course, the connection profile may also contain some of the information required by our PGW 117, such as the International Mobile Subscriber Identify (IMSI), Mobile Subcriber Directory Number (MSDN), Serving Network, and APN. (Access Point Name) is enough information for the ePDG 107 to authenticate, but for the PGW 117, the ePDG 107 is required to provide additional information as to how much bandwidth should be allocated for this APN. This information must be taken from 109 and provided to the PGW 117 so that the PGW 117 can create a session.

In this case, the authentication server 109 may include AAA (Authentication Authorization Accounting) and HSS (Home Subscriber Server) which are standard equipment.

According to an embodiment of the present disclosure, the authentication server 109 may be implemented as one physical device including an authentication server, an AAA server, and an HSS that perform connection profile management or ID / PW management functions according to an embodiment of the present invention. Can be.

According to another embodiment, the authentication server 109 may be implemented as an authentication server that performs a connection profile management or ID / PW management function according to an embodiment of the present invention, and HSS, AAA server as separate physical equipment. .

The company's PGW 117 is a 3GPP standard node, which interworks with the ePDG 107 using the GPRS Tunneling Protocol (GTP). In addition, an access policy including quality of service (QoS) or billing control information for each subscriber connected to the PCRF 119 connected to the PCRF 119 is obtained from the PCRF 119 to control PDN access, that is, dedicated network access.

Our PCRF 119 is a 3GPP standard node, and provides a PCC rule (Policy and Charging Control Rule) for subscriber traffic to interwork with a dedicated network. Here, the policy includes QoS information.

Dedicated network 121 is one of the PDN (Packet Data Network), the company's PGW 117 directly interworking through a leased line or a virtual leased line technology. Here, examples of the virtual leased line technology include a movie / performance receiver serve (MPRS), a virtual private network (VPN), and the like. By applying a technology such as a virtual local area network (VLAN) to the company's PGW 117, it is possible to interwork with a large number of dedicated networks 121.

Now, an embodiment in which the user terminals 101 and 111 access the private network using the connection profile obtained from the authentication server 109 will be described with reference to FIGS.

2 is a flowchart illustrating a process of obtaining a connection profile according to an embodiment of the present invention.

Referring to FIG. 2, the authentication server 109 provisions subscriber information, subscriber access profile, and subscriber profile of subscribers who want to access through an untrusted access network among dedicated network service subscribers (S101). Here, provisioning means storing subscriber related information in the operator equipment during the subscription process.

In this case, the subscriber information may include a phone number for OTP (One Time Password) authentication, and in this case, the phone number may include a mobile phone number.

The PCRF 119 of the company provisions an access policy (PCC rule) of subscribers who want to access through an untrusted access network among dedicated network service subscribers (S103).

User terminals 101 and 111 wishing to access a dedicated network execute a pre-installed dedicated application (S105).

The user terminals 101 and 111 check whether there is a pre-stored connection profile (S107), if not, input the telephone number registered in step S101 (S109) and transmit an authentication request to the authentication server 109 (S111).

The authentication server 109 transmits an authentication wait response to the user terminals 101 and 111 (S113), and sends an OTP to the telephone number received in step S111 (S115). Here, the OTP transmission may use the SMS service.

When the user inputs the OTP provided by the authentication server 109 to the user screen provided by the dedicated application (S117), the user terminals 101 and 111 transmit a connection profile request including the OTP to the authentication server 109. (S119).

The authentication server 109 performs OTP authentication to check whether the OTP received in step S119 is the OTP sent in step S115 (S121).

If the OTP authentication is successful, the connection profile of the user terminals 101 and 111 is checked (S123) and transmitted to the user terminals 101 and 111 (S125).

The user terminals 101 and 111 may store the received connection profile in operation S127. After this step, step S109 to step S125 may be omitted.

Alternatively, steps S107 and S127 may not be performed, and steps S109 to S125 may be performed every time the private network is accessed according to the network security policy setting.

3 is a flowchart illustrating a dedicated network access procedure according to an embodiment of the present invention, which is performed after step S125 of FIG. 2.

Referring to FIG. 3, the user terminals 101 and 111 transmit a dedicated network access request including an access profile previously stored or obtained from the authentication server 109 to the ePDG 107 (S201). Here, the connection profile generally consists of information that the user terminal should provide to the network when connecting to the network.

In this case, when the user terminals 101 and 111 access via an access such as Wi-Fi or LAN, the authentication and tunnel setup request message of the IKEv2 protocol may serve as an access request. At this time, the connection profile is included in the authentication and tunnel setup request message of the IKEv2 protocol.

The ePDG 107 identifies the user terminals 101 and 111 using the connection profile, and performs the connection profile authentication in association with the authentication server 109 (S203). Here, step S203 is an AAA authentication step according to the original 3GPP standard, in the embodiment of the present invention has been modified to enable AAA authentication using a connection profile. In step S203, the user terminals 101 and 111 are authenticated, and a procedure for determining whether the user terminals 101 and 111 can access the private network 121 using a connection profile may be included.

The ePDG 107 obtains information about its own PGW 117 from the authentication server 109 through step S203.

When the ePDG 107 succeeds in access profile authentication, the ePDG 107 requests a session creation from the company's PGW 117 (S205).

At this time, the authentication server 109 may include a function of the HSS. That is, in general, the subscriber profile of the user terminals 101 and 111 included in the HSS is stored. In operation S203, the authentication server 109 provides the subscriber profile requested by the ePDG 107. The ePDG 107 checks whether the user terminals 101 and 111 can access the private network 121 based on the subscriber profile provided from the authentication server 109 (S203). The session creation request including the information obtained from the subscriber profile is transmitted to the company's PGW 117 (S205). Here, the information included in the session creation request is IMSI, MSISDN, Serving Network, RAT Type (WLAN), Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA, APN-AMBR, Bearer Contexts, Recovery , Charging characteristics, Additional Protocol Configuration Options (APCO)]), Private IE (P-CSCF, AP MAC address), and the like.

The company's PGW 117 requests and receives an access policy from the company's PCRF 119 (S207).

The company's PGW 117 connects the dedicated network 121 and the dedicated network session (S209). The session creation response is transmitted to the ePDG 107 (S211).

The ePDG 107 transmits a dedicated network access response to the user terminals 101 and 111 (S213). Thereafter, the ePDG 107 generates its own PGW 117 and a GPRS Tunneling Protocol (GTP) bearer (S215). The ePDG 107 generates an IPSec bearer with the user terminals 101 and 111 (S217).

As a result, the user terminals 101 and 111 can use the dedicated network service as if they were the IP terminals inside the dedicated network 121.

An embodiment in which the user terminals 101 and 111 access the private network using ID / PW (PassWord) will now be described with reference to FIGS. 4 to 5.

4 is a flowchart illustrating an ID / PW registration process according to an embodiment of the present invention.

Referring to FIG. 4, the authentication server 109 provisions subscriber information, subscriber access profile, and subscriber profile of subscribers who want to access through an untrusted access network among dedicated network service subscribers (S301). The company's PCRF 119 provisions the subscriber's access policy (S303).

The user terminals 101 and 111 who wish to access the dedicated network execute the pre-installed dedicated application (S305).

The user terminals 101 and 111 determine whether to register ID / PW (S307). In other words, it is determined whether the ID / PW has already been registered or is not registered, that is, the first connection.

If it is determined that the ID / PW is not registered, the user terminals 101 and 111 transmit a registration request including the ID / PW input from the user (S309) to the authentication server 109 (S311).

The authentication server 109 checks the provisioned authentication profile in step S301 to determine whether there is an OTP option (S313).

If there is an OTP option, the authentication server 109 requests and receives a telephone number to receive the OTP from the user terminals 101 and 111 (S315).

The authentication server 109 sends an OTP to the telephone number received in step S315 (S317).

The authentication server 109 requests and receives an OTP input from the user terminals 101 and 111 (S319).

The authentication server 109 performs OTP authentication to check whether the OTP received in step S319 matches the OTP sent in step S317 (S321).

The authentication server 109 registers the ID / PW requested in step S311 after step S313 or after step S321 (S323). The registration result is then returned to the user terminals 101 and 111 (S325).

5 is a flowchart illustrating a process for accessing a dedicated network according to another embodiment of the present invention, which is performed after step S325 of FIG. 4.

Referring to FIG. 5, the user terminals 101 and 111 transmit a dedicated network access request including the ID / PW input by the user to the ePDG 107 (S401).

The ePDG 107 determines whether there is a previously stored connection profile in the local cache (S403). As a result of the determination, if there is no previously stored access profile, the access profile is requested to the authentication server 109 together with the ID / PW received in step S401 (S405).

The authentication server 109 performs authentication to check whether the ID / PW received in step S405 is a registered ID / PW (S407).

If authentication is successful in step S407, the authentication server 109 checks the authentication profile to determine whether there is an OTP option (S409).

If there is an OTP option, the authentication server 109 requests and receives a telephone number to receive the OTP from the user terminals 101 and 111 (S411).

The authentication server 109 sends an OTP to the telephone number received in step S411 (S413).

The authentication server 109 requests and receives an OTP input from the user terminals 101 and 111 (S415).

The authentication server 109 performs OTP authentication to check whether the OTP received in step S415 matches the OTP sent in step S413 (S417).

If the OTP authentication succeeds in step S417, the authentication server 109 transmits the connection profile to the ePDG 107 (S419).

Here, the ePDG 107 may store the received connection profile in a local cache based on the access history.

The ePDG 107 transfers the connection profile stored in the local cache or received in step S419 to the authentication server 109 to perform the connection profile authentication (S421). Here, step S421 is an AAA authentication step according to the original 3GPP standard. In the embodiment of the present invention, the step A421 is modified to enable AAA authentication, which is the same as step S203 of FIG. 3.

If the ePDG 107 succeeds in access profile authentication in step S419, the ePDG 107 requests a session creation from its PGW 117 (S423).

The company's PGW 117 requests and receives an access policy from its PCRF 119 (S425).

The company's PGW 117 connects the dedicated network 121 and the dedicated network session (S427). The session creation response is transmitted to the ePDG 107 (S429).

The ePDG 107 transmits a dedicated network access response to the user terminals 101 and 111 (S431). And it generates its own PGW 117 and GTP bearer (S433). In operation S435, the user terminal 101, 111 and the IPSec bearer are generated. Here, steps S421 to S435 are the same as steps S203 to S217 of FIG. 3.

Meanwhile, the steps described above with reference to FIGS. 3 and 5 may be implemented using an Internet Engineering Task Force (IETF) Non 3rd Generation Partnership Project (3GPP) network ePDG interworking standard procedure.

In steps S201 and S401, the user terminals 101 and 111 transmit the IKE_SA_INIT message to the ePDG 107 to receive the IKE_SA_INIT RSP message, thereby generating the IKE_SA necessary for protecting the IKE message, and then sending the IKE AUTH_REQ message to the ePDG 107. Transmitting.

In this case, the access profile may be included in the IKE AUTH_REQ message and transmitted to the ePDG 107 in step S201. In step S401, the ID / PW may be included in the IKE AUTH_REQ message and transmitted to the ePDG 107.

In steps S203 and S421, the ePDG 107 delivers the IKE AUTH_REQ message to the authentication server 109, receives values for mutual authentication from the authentication server 109, and includes the values in the IKE AUTH_RESP message to the user terminals 101 and 111. To). Then, the user terminals 101 and 111 transmit an IKE AUTH_REQ message including the values for mutual authentication to the ePDG 107, and the ePDG 107 transmits the received IKE AUTH_REQ message to the authentication server 109. Request a subscriber profile. The authentication server 109 performs mutual authentication using the values for mutual authentication, using a connection profile.

The authentication server 109 transmits the subscriber profile to the ePDG 107 upon successful mutual authentication. The ePDG 107 transmits an IKE AUTH_RESP message for the IKE AUTH_REQ message including the values for mutual authentication to the user terminals 101 and 111. Then, the ePDG 107 receives the IKE AUTH_REQ message from the user terminal (101, 111).

In steps S205 and S423, after the ePDG 107 authenticates whether the user terminals 101 and 111 can access the private network based on the subscriber profile and the access profile, if the authentication succeeds, the PGW 117 requests the session creation. do.

After step S207 (or step S425), step S209 (or step S427), and step S211 (or step S429), in step S213 and step S431, the ePDG 107 sends the private network to the user terminal 101 or 111 through the IKE AUTH_RESP message. Send a connection response.

6 is a flowchart illustrating an operation of a packet data network gateway (PGW) according to an embodiment of the present invention, and may be performed after step S217 of FIG. 3 or after step S435 of FIG. 5.

Referring to FIG. 6, the PGW 117 of the company notifies the PCRF 119 of the access information and the usage history information of the user terminals 101 and 111 to the PCRF 119 similarly to the general private network subscriber (S501), and receives a reply response. (S503).

The PGW 117 of the company performs exclusive network access control of the user terminals 101 and 111 according to the access policy received from the PCRF 119 of the company (S505). Here, the dedicated network access control may control access permission and blocking according to access time, for example. In addition to the various embodiments are possible.

7 is a flowchart illustrating a location update process of a user terminal according to an exemplary embodiment of the present invention, which may be performed after step S217 of FIG. 3 or after step S435 of FIG. 5.

Referring to FIG. 7, after the user terminals 101 and 111 are connected to the dedicated network 121, the user terminals 101 and 111 drive the watchdog timer (S601).

The user terminals 101 and 111 determine whether the watchdog timer expires (S603), and when the watchdog timer expires, measure or confirm a location (S605).

The user terminals 101 and 111 update the measured or confirmed location information to the ePDG 107 (S607).

The ePDG 107 transmits a bearer change message (modify bearer request) including the updated location information in step S607 to its PGW 117 (S609) and receives a response (S611). Then, the ePDG 107 transmits a location information update completion message to the user terminals 101 and 111 (S613).

Thereafter, the company's PGW 117 may perform private network access control using location update information of the user terminals 101 and 111. For example, if you are outside of a dedicated network coverage area, you can disconnect from the private network.

8 is a configuration showing an authentication profile according to an embodiment of the present invention.

Referring to FIG. 8, the authentication profile 200 is a form in which an option field related to authentication is added based on a user ID, and includes an ID field 201, a use classification field 203, an OTP authentication option field 205, and a PW use. Field 207, OTP / PW field 209, and Key field 211. FIG.

The ID field 201 is information that is a key of the authentication profile, which must ensure uniqueness, and an address in the form of a telephone number or an e-mail may be used. For each authentication, a terminal or an authentication attribute may be managed for each ID using the use classification field 203. In this case, the ID in the form of an email refers to an ID used in FIGS. 4 and 5.

The use classification field 203 contains information for distinguishing the user terminals 101 and 111 or the authentication attribute corresponding to the ID.

The OTP authentication option field 205 includes information for additionally selecting a phone number when OTP authentication reception is not possible, such as an OTP transmission time or a PC, according to security settings.

The password (PW) usage field 207 is configured by the user terminals 101 and 111 to manage the connection profile as shown in FIGS. 2 and 3, and by the ePDG 107 using ID / PW as shown in FIGS. 4 and 5. Information on whether to use PW is included to classify the connection profile into a management method. At this time, if the PW is not used, it means a method using a connection profile as shown in Figs. If the PW is set to use, this means a method of requesting access to a dedicated network through ID / PW as shown in FIGS. 4 and 5.

The OTP / PW field 209 corresponds to a field capable of temporarily or permanently storing an OTP or PW value.

The key field 211 stores a virtual LTE key value normally used by a subscriber module (USIM) in case of connection profile based user authentication.

9 is a configuration showing a connection profile according to an embodiment of the present invention.

9, the connection profile 300 includes an ID 301, a virtual IMSI 303, a virtual MSDN 305, a virtual International Mobile Equipment Identity (307), an APN 309, and an aggregate maximum (AMBR). Bit Rate) 311, Protocol Configuration Option (PCO) 313, Serving Network 315, Location Information 317, and Key 319.

The ID 301 is a connection profile classification unit and criterion, which is in the form of a telephone number or an e-mail.

The virtual IMSI 303, the virtual MSDN 305, and the virtual IMEI 307 are information for identifying the user terminals 101 and 111. The virtual IMSI 303 corresponds to a unique value of the subscriber module USIM. The virtual MSDN 305 is a telephone number. The virtual IMEI 307 means a terminal unique identification code. Therefore, the virtual IMSI 303, the virtual MSDN 305, and the virtual IMEI 307 are all virtual information and are in a form allocated by a communication service provider.

The APN 309 is an APN which is a unit for dividing a private network and corresponds to the private network 121.

The AMBR 311 is a sum of bandwidths that can be determined for each APN.

The protocol configuration option (PCO) 313 is information for setting an option of a protocol, and includes an IP version and information required for connection.

The Serving Network 315 includes access network provider information.

The location information 317 includes cell ID information or Wi-Fi identifier or virtual cell information of the user terminals 101 and 111.

The key 319 is a key for subscriber authentication, and includes, for example, LTE K, and is the same as the key 211 of FIG. 8. Here, the key 319 may be optionally included in the connection profile. According to an example, the authentication server 109 may not be included when transmitting the connection profile to the ePDG 107.

The information constituting the authentication profile described with reference to FIG. 8 and the connection profile described with reference to FIG. 9 may be added, deleted, or changed as necessary. Although the configuration of the detailed profile is partially different, the scope of the present invention may not be greatly diverted from the present invention. It can be seen as inside

As described above, the dedicated network access control system according to an embodiment of the present invention connects a user terminal requesting access to a private network through an untrusted access network to the private network using an ePDG standardized in 3GPP.

In addition, by using a Wi-Fi (WiFi) network, a wired LAN (Local Area Network), other carriers LTE connection network to enable the user terminal obtained an IP connection to the dedicated PGW connected to the dedicated network, using a single point of contact using the dedicated PGW Usage management and control is possible.

In addition, other communication service provider terminals can access a dedicated network through a dedicated PGW only by installing a dedicated application without a separate relay terminal, thereby reinforcing a user's authority to select a carrier.

In addition, IoT devices that transmit large amounts of data, such as CCTV, can be connected to a dedicated network using Wi-Fi or LAN without using LTE radio resources, thus increasing resource efficiency and safely transmitting traffic to the dedicated network. have. And it is possible to access a private network by installing a dedicated application without establishing a VPN server.

Meanwhile, service providers are expanding the free Wi-Fi zone for various reasons, such as service for subscribers and compliance with government policies. Accordingly, the demand for subscribers to access a private network through a public WiFi AP at a remote location is increasing. In addition, the subscriber using the enterprise-only network service is sensitive to security problems. Therefore, as shown in FIG. 2, when the connection profile is stored in the terminal, it is necessary to reinforce the authentication procedure to prevent the leakage of the connection profile in advance. .

Hereinafter, an embodiment provides a configuration and method for controlling private network access and security authentication through a public WiFi AP, which is one of untrusted access networks.

10 is a configuration diagram of a dedicated network access control system using an untrusted access network according to another embodiment of the present invention, and FIG. 11 is a block diagram showing a detailed configuration of a dedicated network access authentication server of FIG.

Referring to FIG. 10, the user terminal includes a business terminal 401 and an authentication terminal 403.

The work terminal 401 is a terminal that wants to use a dedicated network service by accessing the dedicated network 421 at a remote location. The work terminal 401 has a Wi-Fi connection function and accesses a public Wi-Fi AP 405.

The work terminal 401 includes a dedicated application for accessing a private network, for example, a VPN (Virtual Private Network) client, and is not provided with a subscriber module (USIM). For example, it may include a notebook, a tablet PC and the like. In this case, the dedicated network service may include an enterprise dedicated LTE service.

The authentication terminal 403 is a terminal for performing the authentication for the business terminal 401 to access the private network 421 through the public Wi-Fi AP 405, and is a terminal subscribed to a dedicated network service. The authentication terminal 403 should be able to use the message service to enable authentication using the message service of the carrier, for example, may be a smartphone. The authentication terminal 403 is connected to the dedicated network access authentication server 415 through the base station 409. Here, although only the base station 409 is shown in the figure, the base station 409 is basically connected to a core network (EPC) (not shown) including a dedicated PGW 419.

The public Wi-Fi AP 405 is an AP that provides a Wi-Fi service to an unspecified number, and is an AP distributed by a communication service provider that provides a private network service. The public Wi-Fi AP 405 provides an internet access environment through Wi-Fi for the subscribers of the communication service provider. The public Wi-Fi AP 405 is directly connected to the Internet 407.

The Internet 407 refers to a public Internet network and guarantees global connectivity with a public IP.

The ePDG 411 performs IKEv2 communication and IPSec communication with the VPN client executed in the work terminal 401. The ePDG 411 performs session creation in association with AAA authentication and dedicated PGW 419 using the connection profile described with reference to FIGS. 1 to 9.

The Wi-Fi authentication server 413 creates a temporary account for the VPN client of the work terminal 401 to access the public Wi-Fi AP 405, and uses the ID and password PW assigned to the work terminal 401. ) To authenticate the access to the public Wi-Fi AP 405.

The dedicated network access authentication server 415 operates in conjunction with the ePDG 411, the Wi-Fi authentication server 413, the subscription system 417, and the message service center 423, and the configuration is divided according to functions. .

Referring to FIG. 11, the dedicated network access authentication server 415 may include a subscriber information management unit 415-1, an AP access authentication unit 415-3, a subscriber authentication unit 415-5, and a dedicated network access authentication unit 415-7. ).

The subscriber information management unit 415-1 is connected to the subscription system 417 online. The subscriber information management unit 415-1 manages a subscriber profile. Here, the subscriber profile is provisioned from the subscription system 417 and includes the subscriber's authentication information, access authority information, access history information, and the like.

The AP access authentication unit 415-3 operates in conjunction with the Wi-Fi authentication server 413. In this case, the AP access authentication unit 415-3 may interwork with the Wi-Fi authentication server 413 through a RESTFUL API or TCP / IP (Transmission Control Protocol / Internet Protocol) interworking. The AP access authentication unit 415-3 checks the use authority of the work terminal 401 based on the subscriber profile, and performs connection processing of the public Wi-Fi AP 405 of the work terminal 401 in association with the Wi-Fi authentication server 413. Perform.

The subscriber authentication unit 415-5 checks the exclusive network access authority of the work terminal 401 based on the subscriber profile, and requests the message service center 423 to transmit an One Time Password (OTP) for access to the private network.

The dedicated network access authentication unit 415-7 performs interworking with the ePDG 411 to perform private network access authentication of the work terminal 401. The dedicated network access authentication unit 415-7 performs private network access authentication based on the subscriber profile and the OTP.

At this time, the dedicated network access authentication unit 415-7 may include the PCRF function and the AAA function of the 3GPP standard, and use the ePDG 411 and the dedicated PGW 419 using a diameter and a radius. Works with

The dedicated network access authenticator 415-7 performs non-SIM AAA authentication with the ePDG 411. According to an embodiment, the dedicated network access authenticator 415-7 is connected to the VPN client of the work terminal 401. AAA authentication may be performed with the ePDG 411 based on the profile (eg, vIMSI). According to another embodiment, the dedicated network access authentication unit 415-7 is transmitted from the VPN client of the work terminal 401 and performs AAA authentication with the ePDG 411 based on the ID / PW registered in the embodiment of FIG. 4. can do.

In this case, the dedicated network access authentication server 415 may be a component additionally included in the authentication server 109 described with reference to FIGS. 1 to 9.

Referring back to FIG. 10, the dedicated PGW 419 corresponds to the PGW of the 3GPP standard, and is differentiated from the general PGW for the dedicated network service according to the private LTE technology. The dedicated PGW 419 directly interworks with the dedicated network 421 and the dedicated line.

The private network 421 is a private network of a subscriber provided with a private LTE service, and typically uses a private IP.

The message service center 423 is a server operated by a communication service provider, and processes message service transmission and reception such as SMS and MMS. The message service center 423 transmits a message to the authentication terminal 403 at the request of the dedicated network access authentication server 415.

12 is a flowchart illustrating a process of accessing an untrusted access network according to an embodiment of the present invention, FIG. 13 is a screen UI (User Interface) of an authentication terminal according to an embodiment of the present invention, and FIG. A message receiving screen of an authentication terminal according to an embodiment of the present invention is shown.

Prior to explaining the procedure of the present invention, the user's authentication terminal 403 is a dedicated network LTE subscriber, the account information of the work terminal 401 for the private network access through the subscription system 417 dedicated network access authentication server 415 It is assumed that a dedicated client for accessing a private network, for example, a VPN client, is installed in a work terminal.

First, referring to FIG. 12, when the user clicks the Internet use button on the authentication terminal 403 (S701), the public Wi-Fi AP access request is transmitted to the dedicated network access authentication server 415 (S703). That is, when the user wants to access the private network through the work terminal 401, for example, a laptop, etc. from outside the company, and executes a VPN client installed in the authentication terminal 403 of the user, as shown in FIG. 500) is provided.

Referring to FIG. 13, the screen UI 500 includes a dedicated network LTE (smartphone) menu 501 and a dedicated network LTE (business terminal) menu 503. The dedicated network LTE (smartphone) menu 501 is configured to select an unconnected or connected connection, and is a menu for accessing the dedicated network 421 from the authentication terminal 403. The dedicated network LTE (business terminal) menu 503 includes an internet usage item 505 and an internal network access item 507.

The internet use item 505 is an item for accessing the public Wi-Fi AP 405 through the work terminal 401. The dedicated network access item 507 is an item for the business terminal 401 to access the private network.

Referring back to FIG. 12, when the user clicks on the Internet use item 505 (S701), the authentication terminal 403 may transmit an HTTP REQUEST requesting a public Wi-Fi AP connection to the private network access authentication server 415. (S703).

The AP access authentication unit 415-3 of the dedicated network access authentication server 415 checks the subscriber profile based on the phone number of the authentication terminal 403, and checks whether the work terminal 401 has internet access authority (S705). .

If it is determined that the AP access authentication unit 415-3 has the internet use authority of the work terminal 401, the AP access authentication unit 415-3 requests a temporary account from the Wi-Fi authentication server 413 (S707).

The Wi-Fi authentication server 413 creates a temporary account (S709), and transmits a temporary account response including the ID and password (PassWord) of the temporary account to the AP access authenticator 415-3 (S711). Then, the AP access authenticator 415-3 transmits a public Wi-Fi AP access response, that is, an HTTP RESPONSE for the HTTP request to the authentication terminal 403 (S713). At the same time, the ID and password (PassWord) of the temporary account is transmitted to the message service center 423 to request transmission of the message to the authentication terminal 403 (S715).

The AP access authentication unit 415-3 transmits the temporary account information message requested in step S715 to the authentication terminal 403 (S717).

According to one embodiment, the Wi-Fi authentication server 413 may specify the expiration date of the temporary account, the temporary account information message may be implemented as shown in FIG.

Referring to FIG. 14, the temporary account information message P1 was issued at the request of "(0103333444), and a temporary WiFi account was issued and is valid until 15.15.2017. [Id: ps001, pw: qw1234!" Include. Here, (0103333444) refers to the telephone number of the authentication terminal 403. In addition, the temporary account contains valid time information.

At this time, the reason for transferring the temporary account information through a separate message transmission, rather than HTTP RESPONSE, is that security can be strengthened by real-time authentication of the user for removing the USIM, changing the USIM, and changing the phone number.

Referring back to FIG. 12, the work terminal 401 executes the Wi-Fi access screen and inputs the temporary account information received in step S717, that is, Id and pw of FIG. 14 (S719), and the public Wi-Fi AP 405. Request a connection (S721).

The public Wi-Fi AP 405 performs connection authentication with the Wi-Fi authentication server 413 (S723). That is, the public Wi-Fi AP 405 determines whether the temporary account information received in step S721 matches the temporary account information generated in step S709. For example, it is determined whether Id and pw of FIG. 14 coincide with the information generated in step S709.

If the access authentication is successful, the public Wi-Fi AP 405 transmits an access permission to the work terminal 401 (S725). Then, the work terminal 401 is connected to the Internet 407 via the public Wi-Fi AP 405 (S727).

Steps S701 to S727 described above may be performed before step S201 of FIG. 3 or step S401 of FIG. 5.

15 is a flowchart illustrating a process for controlling access to a private network according to another embodiment of the present invention, and FIG. 16 is a diagram illustrating a configuration of a dedicated network access screen according to an embodiment of the present invention.

At this time, the work terminal 401 of the user can be connected and used without a separate VPN client in the case of using the Internet. However, if you want to access the private network, you need to install the VPN client in advance, and it is assumed that the ID and PW for accessing the private network are separately assigned and used. This ID and PW are the same as the ID / PW used by the ePDG to obtain a connection profile as described above.

Referring to FIG. 15, when a user wants to access a dedicated network remotely in addition to a simple internet service, a dedicated app UI of the user authentication terminal 403, that is, the “dedicated network access” item 507 from the item 503 of FIG. 13. If it is clicked (S801), the dedicated network access request is transmitted to the dedicated network access authentication server 415 (S803). In this case, an HTTP request for requesting a private network connection may be transmitted.

Then, the subscriber authentication unit 415-5 of the dedicated network access authentication server 415 recognizes that it is the dedicated network access request of the work terminal 401 based on the dedicated network access request received in step S803. The subscriber authentication unit 415-5 checks the subscriber profile based on the phone number of the authentication terminal 403 and confirms the access authority information of the work terminal 401 (S805). If the work terminal 401 is confirmed to be a terminal to which the dedicated network access authority is granted, it transmits the HTTP response to the authentication terminal 403 in response to the dedicated network access request (S807).

Subscriber authentication unit (415-5) generates the OTP (S809), and requests the OTP transmission to the message service center (423) (S811). Then, the message service center 423 transmits the OTP message to the authentication terminal 403, where the OTP message may be implemented as shown in FIG.

Referring to FIG. 14, the OTP message may include the phrase "OTP for access to the private network has been issued at the request of (0103333444), and request again when reconnecting. [OTP:! ^ New5678]".

Referring back to FIG. 15, the work terminal 401 receives access information (ie, ID, PW, OTP) from the user on the dedicated network access screen as shown in FIG. 16 (S815), and requests the ePDG 411 to access the dedicated network. It transmits (S817). At this time, the dedicated network access request includes the VIMSI already included in the VPN client of the work terminal 401 and the OTP and ID / PW input in step S815.

The ePDG 411 performs connection authentication with the dedicated network access authentication unit 415-7 of the dedicated network access authentication server 415 (S819). In this case, step S819 is similar to step S421 of FIG. 5 in that connection authentication, that is, AAA authentication is performed based on the connection profile. In particular, as in step S421 of FIG. 5, the connection profile of the work terminal 401 registers the ePDG 411 in advance through FIG. 4 and obtains a connection profile matching the ID / PW input in step S815.

However, the step S819 differs from step S421 of FIG. 5 in that it adds OTP authentication. The dedicated network access authenticator 415-7 performs access profile authentication that matches the ID / PW, and performs authentication to determine whether the OTP is the OTP generated in step S809. In this embodiment, each time the business terminal 401 accesses the private network, steps S801 to S813 are performed, and OTP authentication is added.

If the ePDG 411 succeeds in access authentication in step S819, the ePDG 411 transmits a session creation request to the dedicated PGW 419 (S821). The dedicated PGW 419 performs PDN (Packet Data Network) authentication with the dedicated network access authentication server 415 (S823). The dedicated network access authentication unit 415-7 transmits the access policy or the dedicated network access control information (traffic control information, etc.) to the dedicated PGW 419.

If PDN authentication is normally processed in the dedicated PGW 419, the private network IP information is included in the session creation response and transmitted to the ePDG 411 (S825).

The ePDG 411 transmits the dedicated network access response including the dedicated network IP information to the work terminal 401 (S827).

Then, IPSec tunneling (S829) is generated between the work terminal 401 and the ePDG 411, GTP tunneling (s831) is generated between the ePDG (411) and the dedicated PGW (419), the work terminal 401 is a dedicated network ( 421).

As described above, in the present invention, by receiving and authenticating OTP information in addition to ID / PW, connection can be made impossible when the work terminal 401 is lost or stolen.

Although the above embodiment has described a case of accessing a private network through a public Wi-Fi AP, FIG. 15 illustrates a process of performing a step S801 after accessing a private Wi-Fi AP, that is, a user through a subscriber account rather than a temporary account. You may.

According to this embodiment, the service user accesses the Internet by accessing the public Wi-Fi AP 405 as a work terminal 401 from the outside through a dedicated network LTE authentication, that is, a work terminal 401 in which a VPN client is installed and only a Wi-Fi connection is available. Can be used. You can also use the remote dedicated network access function. In addition, in connection with the authentication terminal 403 during basic authentication, a strong user authentication function may be provided through a message service, for example, SMS-based OTP authentication.

Therefore, the subscriber member (user) can use the Internet as a work terminal 401 by LTE network authentication through the authentication terminal 403, without separately applying for a public Wi-Fi AP access account of the corresponding carrier.

In addition, the subscriber member (user) can be granted OTP through the dedicated network LTE authentication without accessing the VPN server in the Internet connection state of the work terminal 401 and access the dedicated network 421 to the work terminal 401. In addition, the OTP authentication may be used together when accessing the dedicated network to the work terminal 401, thereby increasing the security of the dedicated network 421.

In addition, the manager may integrally manage the connection history of the work terminal 401 and the authentication terminal 403 as a dedicated network LTE management screen as shown in FIG. 13 without separately operating a VPN server.

FIG. 17 is a hardware block diagram of a terminal according to an embodiment of the present invention. FIG. 17 illustrates hardware configurations of the user terminals 101 and 111, the work terminal 401, and the authentication terminal 403 described with reference to FIGS. 1 to 16. Indicates.

Referring to FIG. 17, the terminal 600 is composed of hardware including a memory device 601, a storage device 603, a communication device 605, a display 607, a processor 609, and the like, and is located at a designated place. Stores programs that run in conjunction with hardware. Hardware has the configuration and performance to implement the present invention. The program includes instructions implementing the operating method of the present invention described with reference to FIGS. 1 to 16, and implements the present invention in combination with hardware such as a memory device 601 and a processor 609.

FIG. 18 is a hardware block diagram of a network device according to an embodiment of the present invention. The ePDGs 107 and 411, the authentication server 109, the PGW 117, and the Wi-Fi authentication server 413 described in FIGS. 1 to 16 are illustrated. , Dedicated network connection authentication server 415 and dedicated PGW 419, respectively.

Referring to FIG. 18, the network device 700 is composed of hardware including a memory device 701, a storage device 703, a communication device 705, a processor 707, and the like, and is combined with hardware at a designated place. The program to be executed is stored. Hardware has the configuration and performance to implement the present invention. The program includes instructions for implementing the operating method of the present invention described with reference to FIGS. 1 to 16, and implements the present invention in combination with hardware such as the memory device 701 and the processor 707.

The embodiments of the present invention described above are not only implemented through the apparatus and the method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiments of the present invention or a recording medium on which the program is recorded.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

Claims (28)

An authentication server for storing a connection profile of a user terminal and performing connection profile authentication for determining whether the user terminal has a right to access a private network based on the connection profile; and
Receiving a dedicated network access request from the user terminal through an untrusted access network, performing an access profile authentication with the authentication server using the access profile of the user terminal extracted from the dedicated network access request, and then successfully accessing the connection profile. And an evolved packet data gateway (ePDG) requesting a packet data network gateway (PGW) to create a communication session between the user terminal and a dedicated network.
The untrusted connection network,
It includes a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator other than a communication provider that provides the dedicated network.
The authentication server,
Before the advanced packet data gateway (ePDG) receives the dedicated network access request, the user terminal performs one time password (OTP) authentication on the user terminal, and when the OTP authentication succeeds, the previously stored access profile is stored. Private network access control system for transmitting to the user terminal. In claim 1,
The connection profile is,
Terminal identification information including at least one of a virtual International Mobile Subscriber Identify (IMSI), a virtual Mobile Subcriber Directory Number (MSDN), a virtual International Mobile Equipment Identity (IMEI), an access point name (APN), and a subscriber unit that distinguishes a private network. A private network access control system comprising an authentication key. delete In claim 1,
The authentication server,
Before the advanced packet data gateway (ePDG) receives the dedicated network access request of the user terminal, the dedicated packet data gateway (ePDG) receives the dedicated network access authentication request from the authentication terminal separate from the user terminal, and transmits a one-time password (OTP) to the authentication terminal. and,
When a dedicated network access request is received from the evolved packet data gateway (ePDG), authentication is performed to determine whether the one-time password (OTP) is valid together with the access profile authentication.
The evolved packet data gateway (ePDG),
If the authentication server succeeds in all of the authentications, request to create the communication session,
The dedicated network access authentication request is transmitted through a mobile communication network,
The dedicated network connection request is transmitted through an untrusted access network. In claim 4,
The authentication server,
And confirming the dedicated network access authority of the user terminal with respect to the dedicated network access authentication request based on the telephone number of the authentication terminal, and transmitting the one time password (OTP) if it is determined that the dedicated network access authority is present. In claim 5,
The authentication server,
And separately transmitting the private network access authentication response to the authentication terminal and transmitting the message including the one-time password (OTP) to the authentication terminal. In claim 1,
The authentication server,
Receiving an authentication request from a dedicated application executed in the user terminal, sending an One Time Password (OTP) to a phone number included in the authentication request, and if the OTP received from the dedicated application matches the sent OTP Transmitting the access profile of the user terminal to the user terminal,
The evolved packet data gateway (ePDG),
And a private network access request including the connection profile from the user terminal. An authentication server for storing a connection profile of a user terminal and performing connection profile authentication for determining whether the user terminal has a right to access a private network based on the connection profile; and
Receive a dedicated network access request from the user terminal through an untrusted access network, obtain a connection profile from the authentication server using the ID and password extracted from the dedicated network access request, and based on the obtained access profile, the authentication server and the connection profile After performing authentication, if the connection profile authentication is successful, an Evolved Packet Data Gateway requesting a packet data network gateway (PGW) to create a communication session between the user terminal and a dedicated network. ePDG),
The untrusted connection network,
It includes a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator other than a communication provider that provides the dedicated network.
The authentication server,
And if the ID and password received from the evolved packet data gateway (ePDG) are pre-registered information, transmit a previously stored connection profile to the evolved packet data gateway (ePDG). In claim 8,
The evolved packet data gateway (ePDG),
Storing the access profile of the user terminal received from the authentication server together with the access history of the user terminal in a local cache,
When the dedicated network connection request is received, if there is no connection profile stored in the local cache, requesting and receiving the authentication server, private network access control system. In claim 8,
The authentication server,
When a registration request is received from a dedicated application executed in the user terminal, the ID and password included in the registration request are registered.
And a connection profile of the user terminal when the ID and password received from the evolved packet data gateway (ePDG) are pre-registered information. In claim 10,
The authentication server,
Send an OTP (One Time Password) to the phone number verified through the ID and password, and if the OTP received by requesting the dedicated application matches the sent OTP, the access profile of the user terminal is evolved. To a packet data gateway (ePDG),
Dedicated network access control for sending an OTP to the telephone number received from the dedicated application, and if the received OTP matches the received OTP and the sent OTP matches, the registered ID and password are registered from the dedicated application. system. In claim 11,
The authentication server,
Generate and manage OTP authentication option information indicating OTP authentication, password use information indicating whether password is used, OTP / password information storing OTP and password, and an authentication profile storing subscriber authentication key for each ID of the user terminal;
And a user authentication for the user terminal using the authentication profile. delete A method for controlling an access to a dedicated network of an user terminal by an evolved packet data gateway (ePDG),
Receiving a request for access to a dedicated network through an untrusted access network from a user terminal,
Extracting a connection profile from the dedicated network access request;
Performing connection profile authentication to determine whether the user terminal has a dedicated network access authority based on the extracted access profile in association with an authentication server;
If the connection profile authentication is successful, requesting a packet data network gateway (PGW) to create a communication session between the user terminal and a dedicated network;
The untrusted connection network,
It includes a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator other than a communication provider that provides the dedicated network.
The connection profile is,
Before the evolved packet data gateway (ePDG) receives the dedicated network access request, if the one time password (OTP) authentication performed by the authentication server for the user terminal is successful, the user from the authentication server Private network access control method is transmitted to the terminal. A method for controlling an access to a dedicated network of an user terminal by an evolved packet data gateway (ePDG),
Receiving a request for access to a dedicated network through an untrusted access network from a user terminal,
If the dedicated network access request includes an ID and password, transmitting the ID and password to an authentication server;
Receiving a connection profile confirmed from the ID and password from the authentication server,
Performing connection profile authentication to determine whether the user terminal has the dedicated network access authority in association with the authentication server based on the received connection profile; and
If the connection profile authentication is successful, requesting a packet data network gateway (PGW) to create a communication session,
The untrusted connection network,
It includes a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator other than a communication provider that provides the dedicated network.
The connection profile is,
And information for identifying the user terminal and information required for the user terminal to access a network. The method of claim 14,
After the requesting step,
Receiving location information updates from a user terminal connected to a communication session on the dedicated network;
Receiving a bearer change response message by transmitting a bearer change message including updated location information to the packet data network gateway (PGW); and
Transmitting a location information update completion to the user terminal;
Included, dedicated network access control method. The method of claim 14,
Prior to the receiving step,
And transmitting a one time password (OTP) to the authentication terminal according to a dedicated network access authentication request received from the authentication terminal separate from the user terminal.
The requesting step,
And if the authentication server succeeds in both authentication using the connection profile and authentication to determine whether the one-time password is valid, requesting to create the communication session. A user terminal accessing a private network through an untrusted access network,
A communication device connected to the untrusted access network, and
A processor for transmitting an access request signal for accessing the dedicated network to an evolved packet data gateway (ePDG) through the communication device;
The connection request signal,
Optionally includes a connection profile or ID and password,
The connection profile is,
The evolved packet data gateway (ePDG) is used for access profile authentication to determine whether the user terminal has a dedicated network access authority in association with an authentication server.
The connection profile included in the connection request signal is
If the OTP (One Time Password) authentication performed by the authentication server on the user terminal before the access request signal is transmitted, is received from the authentication server,
ID and password included in the access request signal,
And the connection profile is transmitted from the authentication server to the evolved packet data gateway (ePDG) if it matches the information registered in advance in the authentication server. The method of claim 18,
The processor is
After receiving a dedicated network access response from the evolved packet data gateway (ePDG) and connecting to the dedicated network,
And drive a watchdog timer to send a location information update including current location information to the evolved packet data gateway (ePDG) when the watchdog timer expires. The method of claim 18,
The untrusted connection network,
A user terminal including a communication network that does not require a Universal Subscriber Identity Module (USIM) when connecting to a network, or a communication network of another operator other than a communication provider that provides the dedicated network. Connected with a public Wi-Fi AP (Access Point) provided to an unspecified number of persons, performs access authentication to determine whether temporary account information received from a work terminal through the public Wi-Fi AP is valid, and performs the temporary account If the information is valid, a Wi-Fi authentication server that allows the public Wi-Fi AP access of the business terminal, and
A dedicated network access authentication server for acquiring the temporary account information from the Wi-Fi authentication server and transmitting the temporary account information to the authentication terminal according to a request of the authentication terminal received through a mobile communication network;
The temporary account information received from the business terminal,
And the work terminal receives the temporary account information received by the authentication terminal from a user. The method of claim 21,
The dedicated network connection authentication server,
Store a subscriber profile including subscriber's work terminal information and authentication terminal information,
When the public Wi-Fi AP access request of the work terminal is received from the authentication terminal through the mobile communication network, the user authority is checked based on the subscriber profile. Requesting the temporary account. The method of claim 22,
The dedicated network connection authentication server,
Separately transmitting a response to the request for accessing the public Wi-Fi AP and transmitting the temporary account information;
A private network access control system for transmitting the temporary account information to the authentication terminal using a message service of a communication service provider. The method of claim 23,
The public Wi-Fi AP access request of the business terminal,
From the dedicated application menu of the authentication terminal, the Internet use of the business terminal is triggered by the event is selected,
The dedicated application menu,
A private network access control system divided into a dedicated network connection on / off setting menu through the authentication terminal and a work terminal setting menu including Internet use of the work terminal and a dedicated network connection. The method of claim 21,
An evolved packet data gateway (ePDG) for receiving a dedicated network access request from the business terminal and requesting to create a communication session to the dedicated network;
The dedicated network connection authentication server,
Before the advanced packet data gateway (ePDG) receives the dedicated network access request, the ETPG receives a dedicated network access authentication request from the authentication terminal through the mobile communication network, and provides the authentication terminal with a one time password (OTP). Send,
In connection with the packet data gateway (ePDG) performs authentication through the connection profile of the work terminal and authentication to determine whether the one-time password (OTP) is valid,
The evolved packet data gateway (ePDG),
And if the dedicated network access authentication server succeeds in all the authentications, request to create a communication session to the dedicated network. The method of claim 25,
The dedicated network connection authentication server,
And confirming the dedicated network access authority of the work terminal for the private network access authentication request based on the telephone number of the authentication terminal, and transmitting the one-time password (OTP) if it is determined that the dedicated network access authority is present. The method of claim 25,
The dedicated network connection authentication server,
And separately transmitting the private network access authentication response to the authentication terminal and transmitting the message including the one-time password (OTP) to the authentication terminal. The method of claim 25,
The dedicated network connection authentication server,
Private network access control system for receiving a request and response in the HTTP method with the authentication terminal.

Images